James Kettle - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling


    James 'albinowax' Kettle, Director of Research, PortSwigger, he/him
    Presentation Title: Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling
    Length of presentation: 45 minutes
    Demo, Exploit

    The recent rise of HTTP Request Smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessible systems with a reverse proxy front-end... until now.

    In this session, I'll show you how to turn your victim's web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites and internal networks. You'll learn how to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors, and release desync worms. With these techniques I'll compromise targets including Apache, Akamai, Varnish, Amazon, and multiple web VPNs.

    While some classic desync gadgets can be adapted, other scenarios force extreme innovation. To help, I'll share a battle-tested methodology combining browser features and custom open-source tooling. We'll also release free online labs to help hone your new skillset.

    I'll also share the research journey, uncovering a strategy for black-box analysis that solved several long-standing desync obstacles and unveiled an extremely effective novel desync trigger. The resulting fallout will encompass client-side, server-side, and even MITM attacks; to wrap up, I'll demo breaking HTTPS on Apache.


    SPEAKER BIO(S)
    James 'albinowax' Kettle is the Director of Research at PortSwigger - he's best known for his HTTP Desync Attacks research, which popularized HTTP Request Smuggling. James has extensive experience cultivating novel attack techniques, including web cache poisoning, HTTP/2 desync attacks, Server-Side Template Injection, and password reset poisoning. James is also the author of multiple popular open-source tools including Param Miner, Turbo Intruder, and HTTP Request Smuggler. He is a frequent speaker at numerous prestigious venues including both Black Hat USA and EU, OWASP AppSec USA and EU, and DEF CON.

    Personal site: https://skeletonscribe.net/
    Twitter: https://twitter.com/albinowax

    REFERENCES:
    This work is primarily built on my two prior explorations into request smuggling:
    https://portswigger.net/research/htt...uggling-reborn
    https://portswigger.net/research/http2

    With some useful knowledge gained from the classic paper by Amit Klein et al., and his much more recent presentation:
    https://www.cgisecurity.com/lib/HTTP...-Smuggling.pdf
    https://www.youtube.com/watch?v=Zm-myHU8-RQ

    I also attempted to adapt some techniques from Martin Doyhenard's talk at DEF CON 29. This didn't work out in the scenarios I encountered, but could definitely be valuable sometimes:
    https://www.youtube.com/watch?v=suxDcYViwao

    Last edited by number6; June 7, 2022, 17:56.